CVE-2024-25008 (GCVE-0-2024-25008)
Vulnerability from cvelistv5 – Published: 2024-08-16 09:42 – Updated: 2024-08-16 13:50
Summary
Ericsson RAN Compute and Site Controller 6610 contain a vulnerability in the Control System where improper input validation can lead to arbitrary code execution, for example to obtain a Linux shell with the same privileges as the attacker. To exploit the vulnerability, the attacker would require elevated privileges, for example a valid OAM user with the system administrator role.
Severity (CVSS v3.1)
6.8 (Medium) – CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
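| Vendor | Product | Version |
|---|---|---|
| Ericsson | Ericsson RAN Compute Basebands (all BB variants) | Affected: 0, < 24.Q2 (custom) |

Note: the CVE record below also lists Site Controller 6610 as affected with the same range. Its `solutions` entry for RAN Compute Basebands names fixed releases earlier than 24.Q2 (24.Q1 IP1, 23.Q4 C1, 23.Q3 C3, 23.Q2 C5, 23.Q1 C5 LTE only, 22.Q4 C6 LTE only), so an installation below 24.Q2 may already carry the fix; check the installed patch level rather than matching on the version range alone.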
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:ericsson:controller_6610:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "controller_6610",
"vendor": "ericsson",
"versions": [
{
"lessThan": "24.q2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:ericsson:ran_compute:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ran_compute",
"vendor": "ericsson",
"versions": [
{
"lessThan": "24.q2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T13:14:44.851352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T13:50:48.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ericsson RAN Compute Basebands (all BB variants)",
"vendor": "Ericsson",
"versions": [
{
"lessThan": "24.Q2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Site Controller 6610",
"vendor": "Ericsson",
"versions": [
{
"lessThan": "24.Q2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability."
}
],
"value": "Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T09:42:21.010Z",
"orgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
"shortName": "ERIC"
},
"references": [
{
"url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-ericsson-ran-compute-august-2024"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEricsson RAN Compute Basebands: Upgrade to \u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e24.Q1 IP1, \u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e23.Q4 C1, \u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e23.Q3 C3, \u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e23.Q2 C5, \u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e23.Q1 C5 LTE only, \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e22.Q4 C6 LTE only\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Ericsson RAN Compute Basebands: Upgrade to 24.Q1 IP1, 23.Q4 C1, 23.Q3 C3, 23.Q2 C5, 23.Q1 C5 LTE only, 22.Q4 C6 LTE only"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSite Controller 6610: Upgrade to 24.Q2\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Site Controller 6610: Upgrade to 24.Q2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Ericsson RAN Compute and Site Controller 6610 - Improper Input Validation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
"assignerShortName": "ERIC",
"cveId": "CVE-2024-25008",
"datePublished": "2024-08-16T09:42:21.010Z",
"dateReserved": "2024-02-02T21:33:13.076Z",
"dateUpdated": "2024-08-16T13:50:48.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability.\"}, {\"lang\": \"es\", \"value\": \" Ericsson RAN Compute and Site Controller 6610 contiene una vulnerabilidad en el sistema de control donde la validaci\\u00f3n de entrada incorrecta puede provocar la ejecuci\\u00f3n de c\\u00f3digo arbitrario, por ejemplo, para obtener un shell de Linux con los mismos privilegios que el atacante. El atacante necesitar\\u00eda privilegios elevados, por ejemplo, un usuario de OAM v\\u00e1lido que tenga el rol de administrador del sistema para explotar la vulnerabilidad.\"}]",
"id": "CVE-2024-25008",
"lastModified": "2024-08-19T13:00:23.117",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.9}]}",
"published": "2024-08-16T10:15:04.823",
"references": "[{\"url\": \"https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-ericsson-ran-compute-august-2024\", \"source\": \"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\"}]",
"sourceIdentifier": "85b1779b-6ecd-4f52-bcc5-73eac4659dcf",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-25008\",\"sourceIdentifier\":\"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\",\"published\":\"2024-08-16T10:15:04.823\",\"lastModified\":\"2024-08-19T13:00:23.117\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability.\"},{\"lang\":\"es\",\"value\":\" Ericsson RAN Compute and Site Controller 6610 contiene una vulnerabilidad en el sistema de control donde la validaci\u00f3n de entrada incorrecta puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario, por ejemplo, para obtener un shell de Linux con los mismos privilegios que el atacante. 
El atacante necesitar\u00eda privilegios elevados, por ejemplo, un usuario de OAM v\u00e1lido que tenga el rol de administrador del sistema para explotar la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-ericsson-ran-compute-august-2024\",\"source\":\"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-25008\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-16T13:14:44.851352Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:h:ericsson:controller_6610:*:*:*:*:*:*:*:*\"], \"vendor\": \"ericsson\", \"product\": \"controller_6610\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.q2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:h:ericsson:ran_compute:*:*:*:*:*:*:*:*\"], \"vendor\": \"ericsson\", \"product\": \"ran_compute\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.q2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-16T13:50:33.653Z\"}}], \"cna\": {\"title\": \"Ericsson RAN Compute and Site Controller 6610 - Improper Input Validation Vulnerability\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Ericsson\", \"product\": \"Ericsson RAN Compute Basebands (all BB variants)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.Q2\", \"versionType\": 
\"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ericsson\", \"product\": \"Site Controller 6610\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"24.Q2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Ericsson RAN Compute Basebands: Upgrade to 24.Q1 IP1, 23.Q4 C1, 23.Q3 C3, 23.Q2 C5, 23.Q1 C5 LTE only, 22.Q4 C6 LTE only\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eEricsson RAN Compute Basebands: Upgrade to \u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e24.Q1 IP1, \u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e23.Q4 C1, \u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e23.Q3 C3, \u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e23.Q2 C5, \u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e23.Q1 C5 LTE only, \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e22.Q4 C6 LTE only\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"Site Controller 6610: Upgrade to 24.Q2\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSite Controller 6610: Upgrade to 24.Q2\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-ericsson-ran-compute-august-2024\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the 
attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux Shell with the same privileges as the attacker. The attacker would require elevated privileges for example a valid OAM user having the system administrator role to exploit the vulnerability.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\", \"shortName\": \"ERIC\", \"dateUpdated\": \"2024-08-16T09:42:21.010Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-25008\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-16T13:50:48.465Z\", \"dateReserved\": \"2024-02-02T21:33:13.076Z\", \"assignerOrgId\": \"85b1779b-6ecd-4f52-bcc5-73eac4659dcf\", \"datePublished\": \"2024-08-16T09:42:21.010Z\", \"assignerShortName\": \"ERIC\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.